perl.perl5.porters | Postings from March 2017

Re: [perl #129288] null ptr deref, segfault in S_rv2gv (pp.c:296)

From: Dave Mitchell
Date: March 28, 2017 15:32
Subject: Re: [perl #129288] null ptr deref, segfault in S_rv2gv (pp.c:296)
Message ID: 20170328153210.GZ3342@iabyn.com

On Fri, Jan 27, 2017 at 06:52:50AM +0000, Zefram wrote:
> The test case no longer segvs for me, since v5.25.6-78-g8b0c337.

The code can be reduced to:

    $x = "foo";
    %:: = ($x);
    *$x;

Prior to that commit, pp_assign, when assigning to a hash with an odd
number of elements on the RHS, ended up using PL_sv_undef as the hash
value rather than a copy of PL_sv_undef. PL_sv_undef as a value in a stash
apparently means something special, so the glob lookup, *$x, crashed.

That commit fixed the bug of storing PL_sv_undef; I'm not sure whether
there's still a bug of *$x crashing if $::{$x} is a pointer to
PL_sv_undef - whether that is a legal value, etc.

Basically the gv_fetchsv_nomg() call in S_rv2gv() returns NULL, which
S_rv2gv() isn't expecting.

Perl_gv_fetchpvn_flags() has:

    gvp = (GV**)hv_fetch(stash,name,is_utf8 ? -(I32)len : (I32)len,add);
    if (!gvp || *gvp == (const GV *)&PL_sv_undef) {
        if (addmg) gv = (GV *)newSV(0);
        else return NULL;

which is where the test for the magic value PL_sv_undef appears.

-- 
Never work with children, animals, or actors.
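
The two conditions described in the message above, as a simplified C model added here for illustration. It is not Perl source and not code from the post; every name in it (Val, Stash, undef_sentinel, store_missing_value, glob_fetch, deref_glob) is hypothetical. It shows a shared sentinel stored in a symbol table making the lookup return NULL, storing a copy instead, and a caller that checks for NULL before dereferencing.

```c
/* Simplified model; not Perl source. All names are hypothetical. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int is_glob; } Val;   /* stand-in for an SV/GV */
static Val undef_sentinel;             /* stand-in for PL_sv_undef */

#define SLOTS 8
typedef struct { const char *key[SLOTS]; Val *val[SLOTS]; int n; } Stash;

/* Hash assignment whose last key has no value. copy_undef == 0 models the
 * old behaviour (the shared sentinel itself is stored); copy_undef == 1
 * models the fixed behaviour (a fresh copy is stored). */
static int store_missing_value(Stash *s, const char *k, int copy_undef) {
    Val *v = &undef_sentinel;
    if (s->n == SLOTS) return -1;
    if (copy_undef && (v = calloc(1, sizeof *v)) == NULL) return -1;
    s->key[s->n] = k;
    s->val[s->n++] = v;
    return 0;
}

/* Same shape as the quoted check: an absent slot or a slot holding the
 * sentinel yields NULL (this model has no "create on demand" flag). */
static Val *glob_fetch(Stash *s, const char *k) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->key[i], k) == 0)
            return s->val[i] == &undef_sentinel ? NULL : s->val[i];
    return NULL;
}

/* Caller that handles the NULL case instead of dereferencing it.
 * Returns -1 for "no glob", otherwise the is_glob field. */
static int deref_glob(Stash *s, const char *k) {
    Val *g = glob_fetch(s, k);
    if (g == NULL) return -1;
    return g->is_glob;
}

int main(void) {
    Stash old_stash = {0}, fixed_stash = {0};
    store_missing_value(&old_stash, "foo", 0);
    store_missing_value(&fixed_stash, "foo", 1);
    /* old: sentinel in the stash, lookup reports -1; fixed: lookup succeeds */
    return (deref_glob(&old_stash, "foo") == -1 &&
            deref_glob(&fixed_stash, "foo") == 0) ? 0 : 1;
}
```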
